1. Field of the Invention
The present application relates generally to data networking and computer software. More particularly, the present application relates to network identity management.
2. Description of the Background Art
A digital identity is a set of information about a user. The set of information may include, for example, identifiers (name, address, etc.), authenticators (social security number, etc.), and privileges (credit card numbers, etc.). Digital identity management is becoming increasingly complex and important in today's networked society.
There are various models for digital identity management. One model is based on a federated approach. Under this federated approach, there is no single entity operating as a centralized identity manager. Instead, support is provided for distributed storage and management of the identity information.
In a federated network, a “domain” may be defined as a group of connected computational devices that are administered as a unit with common rules and procedures. Domains include subjects that may be users or computer applications. Subjects may be authenticated by one domain of a federated network and be recognized and delivered personalized content and services in other domains of the federated network, without having to re-authenticate or sign on with a separate username and password. The identities of the users may be shared between the domains in order to provide a single sign on.
In a federated network, trust relationships exist between asserting and relying parties. FIG. 1 is a schematic diagram depicting a trust relationship between an asserting party 102 and a relying party 104 in a federated network. Domains act as asserting parties to authenticate users and issue assertions about the identities of the authenticated users. Domains also act as relying parties which rely on the information provided by the asserting parties so as to allow users access to their resources and customize their behavior in user-specific ways. Each domain may trust multiple asserting parties, and each asserting party may provide authentication services to multiple relying parties.
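The asserting/relying-party trust relationship described above, as an added illustration that is not part of the application: an asserting party issues a signed identity assertion, and a relying-party domain accepts it only if the issuer is in that domain's own trust list, the signature verifies, and the assertion is still within its lifetime. The domain names, shared keys and the HMAC-based signature are constructed for this example; the model itself (domains trusting several asserting parties, single sign-on without re-authentication) is the one the text describes.

```python
import hmac
import hashlib
import json

# Constructed shared secrets: each asserting party (domain) holds a key that the
# relying parties trusting it also hold. Real deployments would use signing keys
# and certificates, but the trust-list logic below is the same.
ASSERTING_PARTY_KEYS = {
    "domain-a.example": b"constructed-secret-for-domain-a",
    "domain-b.example": b"constructed-secret-for-domain-b",
}


def _sign(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_assertion(issuer, subject, key, now, lifetime=300):
    """Asserting party: after authenticating the subject (out of band here),
    issue an assertion about that subject's identity, bound to the issuer."""
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + lifetime}
    return {"claims": claims, "sig": _sign(key, claims)}


class RelyingParty:
    """A domain acting as relying party; `trusted` maps issuer -> key and is
    this domain's set of trust relationships with asserting parties."""

    def __init__(self, name, trusted):
        self.name = name
        self.trusted = trusted

    def verify(self, assertion, now):
        """Return (subject, reason). subject is None when the assertion is rejected."""
        claims = assertion.get("claims", {})
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None, "issuer is not a trusted asserting party for this domain"
        # Constant-time comparison so a forged signature cannot be probed byte by byte.
        if not hmac.compare_digest(_sign(key, claims), assertion.get("sig", "")):
            return None, "signature does not verify (tampered or forged assertion)"
        if not (claims["iat"] <= now < claims["exp"]):
            return None, "assertion outside its validity window"
        # Accepted: the subject is recognised here without re-authenticating.
        return claims["sub"], "ok"
```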
It is highly desirable to improve methods, apparatus, and systems for network identity management. In particular, it is highly desirable to improve techniques for federated identity management.